Cyber security in hospitals: what happens if the patient comes to harm?
Due to digitalization, IT security is becoming increasingly important in hospitals. But who is responsible if a cyber attack harms the patient?
Cybersecurity plays a central role in hospitals. Many business processes are digitalized. Sensitive health data is processed in the process. With the ever-increasing digitalization of medicine, there is even a risk to life and limb if an IT-supported process is disrupted. Cyber incidents can be caused by internal errors, but also by external attacks. The causes often overlap. If there is damage to life or limb, the question of criminal liability is not far away. This applies not only to cyber criminals, but also to hospital managers.
Threat situation and the attack on Düsseldorf University Hospital
The threat situation in German hospitals can only be quantified to a limited extent, but according to the German Federal Office for Information Security (BSI), the healthcare sector is considered to be particularly at risk. Figures are only available for the so-called KRITIS sector, i.e. for hospitals that are covered by the German Federal Office for Information Security Act (BSIG). These are currently hospitals that have 30,000 or more full inpatient treatment cases per year. Around 5 to 10 percent of hospitals meet this requirement. The KRITIS sector of healthcare, which is largely characterized by hospitals, has the second highest number of incident reports in the BSI's latest situation report.
The cyberattack on Düsseldorf University Hospital in 2019 was particularly memorable, as the attack caused the emergency room to be shut down for days. One patient had to be transported to a more distant hospital due to the closure of the emergency department. She died during the transport. The public prosecutor's investigation into the unknown perpetrators was extended to a possible homicide. As it could not be established with a probability bordering on certainty that there was a causal link between the attack and the patient's death, the investigation into the homicide was discontinued.
Initial studies from the USA indicate that in three out of four cases, patient care deteriorates as a result of a cyberattack. According to the study, the probability of dying in a hospital increases by 20 to 35 percent if it is the victim of a cyberattack.
Is the hospital management acting deliberately?
If a patient is physically harmed as a result of a cyberattack, the bodily injury and homicide offenses of the German Criminal Code (StGB) come to mind. The management of the hospital could be accused of not having taken sufficient security measures, without which the harmful event could not have occurred. This is an accusation of omission (§ 13 StGB). The omitting party must hold a so-called guarantor position vis-à-vis the respective victim. The management could have such a position because it is responsible for the "healthcare service". Roughly simplified, this responsibility includes the duty to take appropriate measures to prevent harm to the life and limb of patients.
Quite apart from the fact that no causal link between the attack and the death could be proven in the Düsseldorf case, the hospital management is also unlikely to have acted with intent. Intent requires the perpetrator to at least accept that the result of the offense will occur as a consequence of their actions or omissions, i.e. that the patient will either die or suffer damage to their health as a result of the cyberattack. The decisive factor here is whether the management made a risk-adequate decision regarding the IT security measures on the basis of comprehensive information. If so, it must be credited with having seriously trusted that no harm would come to any person. This rules out deliberate action.
In future, it will be even more challenging to rule out intent in cyber security incidents. The reason for this is the NIS 2 Directive, i.e. the EU's second Network and Information Security Directive. It should have been transposed into national law by October 2024, but implementation is still delayed. It will significantly expand the scope and requirements of the BSIG. Presumably all hospitals included in the state hospital plans in Germany will be covered by the BSIG in future. The slogan "Cyber security is a matter for the boss" will also be explicitly written into the law: the management must initiate the risk management processes in the organization and monitor their implementation. In order to do this, they must undergo regular training in IT risk management. This can lead to them being assumed to have a higher level of knowledge in this area, which in turn could be taken into account when determining intent. After all, those who are more familiar with risk management will find it more difficult to exonerate themselves by claiming that they were unable to correctly assess the risk.
Standard of care for cybersecurity-related negligence offenses
Even if it is not possible to prove intent on the part of those responsible for IT security, they could be accused of disregarding the care required in the circumstances and contributing to patient harm through inadequate security measures. This is an accusation of negligent homicide (Section 222 StGB) or negligent bodily injury (Section 229 StGB). The hospital management has a non-delegable ultimate responsibility to prevent harm to patients by taking adequate security precautions. Outside of this core area, however, delegation is necessary and possible, in practice primarily to the Chief Information Security Officer (CISO), who can then also be accused of negligence.
Investigations in this regard will focus primarily on the standard of care a hospital must meet in order to avoid cyber security incidents. There is a practical guide here: the industry-specific security standards (B3S). These are catalogs of measures that industry associations develop for the respective KRITIS sectors. The BSI then determines, for a period of two years, that a B3S is suitable for fulfilling the risk management obligations arising from the BSIG. If a hospital is not covered by the BSIG because it is not a large hospital, it must nevertheless implement IT security obligations in accordance with Section 391 SGB V, and these should also be based on the B3S. The B3S is thus in fact the gold standard for IT security measures for all hospitals.
In addition to the general IT security objectives of availability, integrity, authenticity and confidentiality, the current B3S for the hospital sector specifies the particular security objective of patient safety. The B3S is therefore also intended to prevent physical harm resulting from inadequate IT security. The negligence offenses under criminal law mentioned above pursue the same protective goal, so the B3S should also be used to shape the standard of care under criminal law. This has its advantages: anyone who implements this catalog and can prove it (documentation) should not be criminally liable for any harm that nevertheless occurs.
But aren't the cyber criminals actually responsible?
In the case of cyber attacks in particular, one could argue that the harm to patients is due to the criminal, intentional actions of third parties. It is clear that cyber criminals are regularly liable to prosecution for their attacks. Nevertheless, the responsibility of hospital managers is typically not displaced if inadequate IT security measures are what enable the cyber criminals' intentional actions in the first place.
Practical tips
Even if there has not yet been any proven case of harm to health due to a cyber security incident in a hospital in Germany, the initial study results show that the risk is indeed high. One day, such a case will probably occur. Then the focus under criminal law will no longer be only on the cyber criminals, but also on the hospital managers. In order to minimize liability risks in advance, risk-relevant management decisions regarding the design of IT security management must be made on the basis of adequate information and must be comprehensively documented. The hospital B3S serves as a guide for avoiding accusations of negligence.
Note: The authors of this article, Dr. Matthias Dann, LL.M. and Tilmann Dittrich, LL.M., are lawyers at the law firm Wessing & Partner Rechtsanwälte mbB in Düsseldorf, which specializes in medical and IT criminal law.
(mho)